Weak passwords and ancient software left U.S. Government data vulnerable, DHS report finds

Weak passwords and rarely updated software are a recurring theme behind the 48,000 cyber incidents reported to the Department of Homeland Security – including the theft of data on the nation’s weakest dams by a “malicious intruder”, and an incident where hackers broadcast a malicious warning about a zombie attack via several American TV stations, a DHS report has found.

“Data on the nation’s weakest dams, including those which could kill Americans if they failed, were stolen by a malicious intruder,” the report, titled The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure” said, “Nuclear plants’ confidential cybersecurity plans have been left unprotected. Blueprints for the technology undergirding the New York Stock Exchange were exposed to hackers.”

The report was based on information from more than 40 previous investigations by inspectors general, according to Mashable’s report. Mashable described weak passwords as a recurring theme of the 17-page report, and said that “password” remains a common choice for government employees.

The report highlighted a series of breaches, including a reported attack on a national emergency broadcast system which led TV stations in Michigan, Montana and North Dakota to broadcast fake zombie attack warnings. “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

The report was blunt about who to blame: “real lapses” by government employees, including software governing physical access to secure sites which was several years out of date, and “weak or default” passwords guarding servers containing sensitive information. The report cited an instance of 10 passwords written down and left on desks in the office of the Chief Information Officer for U.S. Immigration and Customs Enforcement.

Websites including the DHS’s own pro-security site ‘Build Security In’ – built to encourage developers to ““to build security into software in every phase of its development” – also contained known vulnerabilities, the report said. Republican Senator Tom Coburn, who chaired the committee, told the Washington Post, “They aren’t even doing the simple stuff.”

At the Nuclear Regulatory Commission, “a general lack of confidence” led staff to buy and deploy computer networks without the knowledge of their own IT staff. ZDNet’s report described government sites and systems as “ripe with vulnerabilities”.

The report said that many intrusions were the result of poorly updated software, including AV software.

“While cyber intrusions into protected systems are typically the result of sophisticated hacking, they often exploit mundane weaknesses, particularly out-of-date software,” the report said. “Even though they sound boring, failing to install software patches or update programs to their latest version create entry points for spies, hackers and other malicious actors. Last July, hackers used just that kind of known, fixable weakness to steal private information on over 100,000 people from the Department of Energy. The department’s Inspector General blamed the theft in part on a pieceofsoftware which had not been updated in over two years, even though the department had purchased the upgrade.”

“Weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency response systems and our citizens’ personal information,” Senator Coburn said in a press release. “While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cybersecurity, there are very basic – and critically important – precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing.”